IDENTIFYING SUPERSINGULAR ELLIPTIC CURVES



ANDREW V. SUTHERLAND 

Abstract. Given an elliptic curve E over a field of characteristic p, we consider how to efficiently determine whether E is ordinary or supersingular. We analyze the complexity of several existing algorithms and then present a new approach that exploits structural differences between ordinary and supersingular isogeny graphs. This yields a simple algorithm that, given E and a suitable non-residue in $\mathbb{F}_{p^2}$, determines the supersingularity of E in $O(n^3 \log^2 n)$ time and $O(n)$ space, where $n = O(\log p)$. Both these complexity bounds are significant improvements over existing methods, as we demonstrate with some practical computations.
1. Introduction

An elliptic curve E over a field F of prime characteristic p is called supersingular if its p-torsion subgroup $E[p](\bar{F})$ is trivial; see [7, §13.7] or [19, §V.3] for several equivalent definitions. Otherwise, we say that E is ordinary. Supersingular curves differ from ordinary curves in many ways, and this has practical implications for algorithms that work with elliptic curves over finite fields, such as algorithms for counting points [16], generating codes [17], computing endomorphism rings [5], and calculating discrete logarithms [10]. Given an elliptic curve, one of the first things we might wish to know is whether it is ordinary or supersingular, and we would like to make this distinction as efficiently as possible.

The answer to this question depends only on the isomorphism class of E over $\bar{F}$, which is characterized by its j-invariant $j(E)$. It is known that E can be supersingular only when $j(E) \in \mathbb{F}_{p^2}$, thus we may restrict our attention to the case that F is a finite field $\mathbb{F}_q \subseteq \mathbb{F}_{p^2}$. We also recall that E is supersingular if and only if $\#E(\mathbb{F}_q) \equiv 1 \bmod p$; see [19] for proofs of these facts.

There is a simple Monte Carlo test that quickly identifies ordinary elliptic curves. When $q = p$, one picks a random point P on the curve and computes the scalar multiple $(p+1)P$. If $(p+1)P \ne 0$ then the curve is ordinary, and if $(p+1)P = 0$ then the curve is likely to be supersingular (see §2.3 for the case $q = p^2$). If several repetitions of this test fail to prove that E is ordinary, then it is almost certainly supersingular. But this approach cannot prove that E is supersingular, just as the Miller–Rabin primality test [11] cannot prove that an integer is prime.

To prove that E is supersingular, one may verify that $\#E(\mathbb{F}_q) \equiv 1 \bmod p$ using a point-counting algorithm, such as Schoof's algorithm [15, 16]. With a variant of the SEA algorithm (see §2.2), this can be accomplished in $O(n^4\,\mathrm{llog}\,n)$ time using $O(n^3)$ space, where $n = \log q$. The computer algebra systems Magma and Sage [20] both use this approach to identify supersingular curves.
But it is natural to ask whether one can do better. We show that this is indeed the case, presenting an algorithm that runs in $O(n^3 \log^2 n)$ time and $O(n)$ space. Rather than counting points, we rely on structural differences between ordinary and supersingular isogeny graphs. The resulting algorithm is easy to implement and much faster than methods based on point counting, as may be seen in Table 1.

In the first step of the algorithm we must solve a cubic equation, and in each subsequent step we need to solve a quadratic equation. To obtain a deterministic result, we assume that we are given a quadratic non-residue and a cubic non-residue in $\mathbb{F}_{p^2}$ to facilitate these computations. When $\mathbb{F}_{p^2}$ is constructed using a generator, this generator already provides the non-residues we require. Alternatively, non-residues can be efficiently obtained by sampling random elements, yielding a Las Vegas algorithm.

2. Existing Algorithms

Before presenting the new algorithm, we briefly review some standard methods for testing supersingularity and analyze their complexity. Over fields of characteristic 2 or 3, an elliptic curve E is supersingular if and only if $j(E) = 0$, a condition that is trivial to check given an equation for the curve. As noted in the introduction, we may assume E is defined over $\mathbb{F}_{p^2}$ (otherwise E is ordinary). Thus we shall work over a finite field $\mathbb{F}_q$ of characteristic $p > 3$, where q is either p or $p^2$.

We use $M(n)$ to denote the cost of multiplying two n-bit integers, which we may bound by $M(n) = O(n \log n\,\mathrm{llog}\,n) = \tilde{O}(n)$, via [14]; here and throughout, $\mathrm{llog}\,n$ denotes $\log \log n$. All of our bounds are expressed in terms of $n = \log p$, which is proportional to the size of the input for our problem, the coefficients of the curve E.

2.1. Exponential time algorithms. If E is in Weierstrass form $y^2 = f(x)$, then E is supersingular if and only if the coefficient of $x^{p-1}$ in $f(x)^{(p-1)/2}$ is zero, and this implies that if E is in Legendre form $y^2 = x(x-1)(x-\lambda)$, then E is supersingular if and only if $\sum_{i=0}^{m} \binom{m}{i}^2 \lambda^i = 0$, where $m = (p-1)/2$; see [19, Thm. V.4.1]. These criteria are convenient and easy to state, but they are computationally useful only when p is very small, since the time required to apply them is exponential in n.

2.2. Polynomial time algorithms. Schoof's algorithm [15] computes $\#E(\mathbb{F}_q)$ in $\tilde{O}(n^5)$ time and $O(n^2)$ space. This immediately yields a deterministic polynomial-time algorithm for testing supersingularity, since E is supersingular if and only if $\#E(\mathbb{F}_q) \equiv 1 \bmod p$. The improvements of Elkies and Atkin incorporated in the SEA algorithm [16] are not immediately applicable, since they rely on results that do not necessarily apply to supersingular curves [16, Prop. 6.1–3]. However, as remarked by Schoof [16, p. 241], supersingular curves can be identified using similar techniques. Let us briefly fill in the details.

Recall that for any prime $\ell \ne p$, the classical modular polynomial $\Phi_\ell \in \mathbb{Z}[X, Y]$ has the property that two j-invariants $j_1, j_2 \in \mathbb{F}_q$ satisfy $\Phi_\ell(j_1, j_2) = 0$ if and only if $j_1 = j(E_1)$ and $j_2 = j(E_2)$ for some elliptic curves $E_1$ and $E_2$ related by a cyclic isogeny of degree $\ell$; see [?, Thm. 12.19]. If $E_1$ and $E_2$ are isogenous, then $\#E_1(\mathbb{F}_q) = \#E_2(\mathbb{F}_q)$, thus $E_1$ is supersingular if and only if $E_2$ is. Since every supersingular j-invariant in characteristic p lies in $\mathbb{F}_{p^2}$, if E is supersingular then the univariate polynomial $\phi_{\ell,E}(X) = \Phi_\ell(j(E), X)$ splits completely in $\mathbb{F}_{p^2}[X]$, for every prime $\ell \ne p$. However, if E is ordinary, this is not the case.
Proposition 1. Let $j(E) \in \mathbb{F}_{p^2}$ and assume $j(E) \ne 0, 1728$.¹ Let S be a set of primes $\ell \ne p$ with product $M > 2p$. Then E is supersingular if and only if $\phi_{\ell,E}$ splits completely in $\mathbb{F}_{p^2}[X]$ for every $\ell \in S$.

Proof. The forward implication is addressed by the discussion above. For the reverse, suppose for the sake of contradiction that E is ordinary and that $\phi_{\ell,E}$ splits completely in $\mathbb{F}_{p^2}[X]$ for all $\ell \in S$. It follows from [5, Thm. 2.1] (or see §3) that $t^2 - 4p^2$ is divisible by $\ell^2$, where $t = p^2 + 1 - \#E(\mathbb{F}_{p^2})$ is the trace of Frobenius of $E/\mathbb{F}_{p^2}$. Thus $t^2 \equiv 4p^2 \bmod \ell^2$ for each $\ell \in S$, and therefore $t^2 \equiv 4p^2 \bmod M^2$, by the Chinese Remainder Theorem. The Hasse bound implies $t^2 \le 4p^2$, so we must have $t^2 = 4p^2$, since $M^2 > 4p^2$. Thus $t = \pm 2p$, and therefore $\#E(\mathbb{F}_{p^2}) \equiv 1 \bmod p$. But this implies that E is supersingular, which is a contradiction. □

To prove the supersingularity of $E/\mathbb{F}_q$, it is enough to check that $\phi_{\ell,E}$ splits completely in $\mathbb{F}_{p^2}[X]$ for each of the first m primes $\ell$ with product $M > 2p$. This can be done without factoring $\phi_{\ell,E}$. One removes all linear factors from $\phi_{\ell,E}$ as follows: first let $f = \phi_{\ell,E}$ and compute $g = \gcd(f(X), X^{p^2} - X)$, then repeatedly set $f \leftarrow f/g$ and $g \leftarrow \gcd(f, g)$ until $\deg g = 0$. If at this point $\deg f = 0$, then $\phi_{\ell,E}$ splits completely over $\mathbb{F}_{p^2}$ and otherwise it does not. When $j(E)$ lies in $\mathbb{F}_p$, we may instead work in $\mathbb{F}_p[X]$ and remove both linear and quadratic factors from $\phi_{\ell,E}$ with a similar approach.

Using precomputed modular polynomials, this yields a deterministic algorithm that runs in $O(n^2 M(n^2)/\log n) = O(n^4\,\mathrm{llog}\,n)$ time and $O(n^3)$ space, assuming Kronecker substitution [24, §8.4] is used to multiply polynomials in $\mathbb{F}_{p^2}[X]$ of degree $O(n)$ in time $O(M(n^2))$. The space can be reduced to $O(n^2 \log n)$ by computing modular polynomials as required, but this significantly increases the running time.

2.3. A Monte Carlo algorithm. For a supersingular curve E over a field of characteristic $p > 3$ it follows from [13] that

(i) if E is defined over $\mathbb{F}_p$ then $\#E(\mathbb{F}_p) = p + 1$;
(ii) either $E(\mathbb{F}_{p^2}) \cong (\mathbb{Z}/(p-1)\mathbb{Z})^2$ or $E(\mathbb{F}_{p^2}) \cong (\mathbb{Z}/(p+1)\mathbb{Z})^2$.

This motivates the following algorithm.

Algorithm 1. Given an elliptic curve $E/\mathbb{F}_q$ with $q \mid p^2$:

1. If $q = p$: pick a random point $P \in E(\mathbb{F}_p)$² and return true if $(p+1)P = 0$, otherwise return false.

2. If $q = p^2$: pick a random point $P \in E(\mathbb{F}_{p^2})$ and return true if either $(p-1)P = 0$ or $(p+1)P = 0$, otherwise return false.

If the algorithm returns false then E is ordinary. We now show that if the algorithm returns true, then E is very likely to be supersingular (for large q).

Proposition 2. Given an ordinary elliptic curve $E/\mathbb{F}_q$, Algorithm 1 returns true with probability at most $8\sqrt{q}/(\sqrt{q}-1)^2 = O(q^{-1/2})$.

Proof. First, let $q = p$. Let H be the $(p+1)$-torsion subgroup $E(\mathbb{F}_q)[p+1]$. Then $H \cong \mathbb{Z}/m_1\mathbb{Z} \times \mathbb{Z}/m_2\mathbb{Z}$, where $m_1$ divides $m_2$ and $q - 1$. Since $m_1$ also divides $p + 1$, we have $m_1 \le 2$. We now show $m_2 < 4\sqrt{q}$. If not, then $p + 1$ is the unique multiple of $m_2$ in the Hasse interval $[(\sqrt{q}-1)^2, (\sqrt{q}+1)^2]$. But then $\#E(\mathbb{F}_p) = p + 1$, contradicting the fact that E is ordinary. Thus $\#H = m_1 m_2 < 8\sqrt{q}$.



¹We note that $j(E) = 0$ (resp. 1728) is supersingular if and only if $p \not\equiv 1 \bmod 3$ (resp. 4).
Now let $q = p^2$. Let H be the union of $H_1 = E(\mathbb{F}_q)[p-1]$ and $H_2 = E(\mathbb{F}_q)[p+1]$. Then $\#H_1 < 4\sqrt{q}$, else $(p-1)^2$ is the unique multiple of $\#H_1$ in the Hasse interval, yielding a contradiction as above. Similarly, $\#H_2 < 4\sqrt{q}$, and therefore $\#H < 8\sqrt{q}$.

In both cases, Algorithm 1 outputs true only when the random point P lies in H, which occurs with probability $\#H/\#E(\mathbb{F}_q) < 8\sqrt{q}/(\sqrt{q}-1)^2$. □

Algorithm 1 is a Monte Carlo algorithm with one-sided error. For $q > 97$ the error probability given by Proposition 2 is bounded below 1 and can be made arbitrarily small (but never zero) by repetition. Using standard techniques, the random point P can be obtained in $O(nM(n)) = \tilde{O}(n^2)$ expected time, and this also bounds the cost of the scalar multiplications.

3. Isogeny Graphs

As above, we work in a finite field $\mathbb{F}_q$ of characteristic $p > 3$. For each prime $\ell \ne p$ we define the (directed multi-)graph $G_\ell(\mathbb{F}_q)$ of $\mathbb{F}_q$-rational $\ell$-isogenies.

Definition 1. $G_\ell(\mathbb{F}_q)$ is the graph with vertex set $\mathbb{F}_q$ and edges $(j_1, j_2)$ present with multiplicity k whenever $j_2$ is a root of $\Phi_\ell(j_1, X)$ with multiplicity k.

As in §2.2, the polynomial $\Phi_\ell \in \mathbb{Z}[X, Y]$ is the classical modular polynomial that parametrizes $\ell$-isogenous pairs of j-invariants; see [9, §5.2]. It is symmetric and has degree $\ell + 1$ in both variables, thus the in-degree and out-degree of each vertex of $G_\ell(\mathbb{F}_q)$ is at most $\ell + 1$. These degrees need not coincide (e.g., for the vertices 0, 1728, and their neighbors); when we speak of the degree of a vertex we refer to its out-degree. We note that $G_\ell(\mathbb{F}_q)$ may contain self-loops, edges of the form $(j_1, j_1)$.

Each vertex of $G_\ell(\mathbb{F}_q)$ is the j-invariant $j(E)$ of an elliptic curve E defined over $\mathbb{F}_q$, and we may classify each vertex as ordinary or supersingular. We may similarly classify the edges and connected components of $G_\ell(\mathbb{F}_q)$, since every edge lies between vertices of the same type (ordinary or supersingular). As noted in §2.2, if $j(E)$ is a supersingular j-invariant then the polynomial $\Phi_\ell(j(E), X)$ splits completely in $\mathbb{F}_{p^2}[X]$, and it follows that for $q > p$, every supersingular component³ of $G_\ell(\mathbb{F}_q)$ is a regular graph of degree $\ell + 1$.

However, the ordinary components of $G_\ell(\mathbb{F}_q)$ are not regular graphs of degree $\ell + 1$; they contain many vertices of degree less than $\ell + 1$, and this is the basis of our algorithm. Given an elliptic curve E defined over $\mathbb{F}_{p^2}$, our strategy is to search for a vertex of degree less than 3 that is connected to $j(E)$ in $G_2(\mathbb{F}_{p^2})$. If we find such a vertex, then E is ordinary, and if we can prove no such vertex exists, then E is supersingular. To do this we need to understand the structure of the ordinary components of $G_2(\mathbb{F}_{p^2})$. All the facts we require apply more generally to $G_\ell(\mathbb{F}_q)$, so we continue in this setting.

A detailed analysis of the structure of the ordinary components of $G_\ell(\mathbb{F}_q)$ was undertaken by Kohel in his thesis [8], and they are now commonly called $\ell$-volcanoes, a term introduced by Fouquet and Morain [5]. The structure of an $\ell$-volcano is determined by the relationships between the endomorphism rings of the elliptic curves corresponding to its vertices. Here we record only the facts we need, referring to [5, 8] for proofs and a more complete presentation.



²In practice one does not use a uniform distribution over $E(\mathbb{F}_q)$; one constructs a uniformly random point in $E(\mathbb{F}_q) - E(\mathbb{F}_q)[2]$. This is easier, and better, for the purposes of the algorithm.
³There is in fact only one supersingular component of $G_\ell(\mathbb{F}_{p^2})$; see [8, Cor. 78].
Let $j(E)$ be a vertex in an ordinary component V of $G_\ell(\mathbb{F}_q)$ (an $\ell$-volcano). Recall that the endomorphism ring of an ordinary elliptic curve is isomorphic to an order O in an imaginary quadratic field K. We have the inclusions $\mathbb{Z}[\pi] \subseteq O \subseteq O_K$, where $\mathbb{Z}[\pi]$ is the order generated by (the image of) the Frobenius endomorphism $\pi$, and $O_K$ is the maximal order of K (its ring of integers). The order O depends only on the isomorphism class $j(E)$, while the orders $\mathbb{Z}[\pi]$ and $O_K$ depend only on the isogeny class of E and are invariants of V.

We may partition the vertices of V into levels $V_0, \ldots, V_d$, where the level $V_i$ in which $j(E)$ lies is determined by the $\ell$-adic valuation $i = v_\ell([O_K : O])$. The integer $d = v_\ell([O_K : \mathbb{Z}[\pi]])$ is the depth (also called the height) of V, and may be 0. From the norm equation

(1) $4q = t^2 - v^2 D$,

where $q = N(\pi)$, $t = \operatorname{tr} \pi$, $D = \operatorname{disc}(K)$, and $d = v_\ell(v)$, we have

(2) $d \le \log_\ell \sqrt{4q}$.

Level $V_d$ is the floor of the $\ell$-volcano V. Its vertices are distinguished by their degree, which is at most 2. Every other vertex in V (if any) has degree $\ell + 1$.

Proposition 3. Let $j(E)$ be a vertex at level $V_i$ of an $\ell$-volcano V of depth d.

(i) The degree of $j(E)$ is $\ell + 1$ if and only if $i < d$.

(ii) If $i = 0 < d$ then at least $\ell - 1$ of the edges from $j(E)$ lead to $V_1$.

(iii) If $0 < i < d$ then one edge from $j(E)$ leads to $V_{i-1}$ and the rest lead to $V_{i+1}$.

(iv) If $0 < i = d$ then $j(E)$ has just one outgoing edge and it leads to $V_{d-1}$.

Proof. See [5, Thm. 2.1] and [8, Prop. 23]. □

Given $E/\mathbb{F}_q$, our goal is to either find a path from $j(E)$ to the floor of its $\ell$-volcano in $G_\ell(\mathbb{F}_q)$, or prove that no such path exists. We define a path as follows.

Definition 2. A path (of length k) in $G_\ell(\mathbb{F}_q)$ is a sequence of vertices $j_0, j_1, \ldots, j_k$ such that $\Phi_\ell(j_0, j_1) = 0$ and $j_{i+2}$ is a root of $\Phi_\ell(j_{i+1}, X)/(X - j_i)$ for $0 \le i < k - 1$.

In terms of a walk on the graph, this definition prohibits backtracking except when there are multiple edges leading back to the previous vertex. Edges that lead toward the floor (from level $V_i$ to $V_{i+1}$) are called descending. Proposition 3 implies that every vertex of V not on the floor has at least $\ell - 1$ descending edges. Any path that starts with a descending edge can only be extended by descending further, and this must lead to the floor within d steps (this is called a descending path in [5]).

We can summarize these results in purely graph-theoretic terms. For any edge $(j_0, j_1)$ in $G_\ell(\mathbb{F}_q)$, not necessarily ordinary, let $R_k(j_0, j_1)$ denote the set of vertices $j_k$ for which there exists a path $j_0, j_1, \ldots, j_k$ of length k.

Corollary 1. Let $j_0$ be a vertex of $G_\ell(\mathbb{F}_q)$ of degree $\ell + 1$.

(i) If $j_0$ is ordinary, then $G_\ell(\mathbb{F}_q)$ contains $\ell - 1$ edges $(j_0, j_1)$ for which the set $R_k(j_0, j_1)$ is empty for some $1 \le k \le \log_\ell \sqrt{4q} + 1$.

(ii) If $j_0$ is supersingular and $q > p$, then for every edge $(j_0, j_1)$ the set $R_k(j_0, j_1)$ is nonempty for all $k \ge 1$.
4. The algorithm

We now present our algorithm, which, given an elliptic curve E over a field of positive characteristic, returns true if E is supersingular and false otherwise.

Algorithm 2. Given an elliptic curve $E/F$ with $\operatorname{char} F = p > 0$:

1. If $j(E) \notin \mathbb{F}_{p^2}$ then return false.

2. If $p \le 3$ then return true if $j(E) = 0$ and false otherwise.

3. Attempt to find three roots $j_1, j_2, j_3$ of $\Phi_2(j(E), X)$ in $\mathbb{F}_{p^2}$. If $\Phi_2(j(E), X)$ does not have three roots in $\mathbb{F}_{p^2}$ then return false.

4. Set $j_i' \leftarrow j(E)$ for $i = 1, 2, 3$.

5. Let $m = \lfloor \log_2 p \rfloor + 1$, and for $k = 1$ to m:

   a. Set $f_i(X) \leftarrow \Phi_2(j_i, X)/(X - j_i')$ and set $j_i' \leftarrow j_i$ for $i = 1, 2, 3$.

   b. Attempt to find a root $j_i$ of $f_i(X)$ in $\mathbb{F}_{p^2}$, for $i = 1, 2, 3$. If any $f_i(X)$ does not have a root in $\mathbb{F}_{p^2}$ then return false.

6. Return true.

After ruling out some trivial cases, the algorithm begins in step 3 by computing the outgoing edges from the vertex $j(E)$ in $G_2(\mathbb{F}_{p^2})$, using the modular polynomial

$$\Phi_2(X, Y) = X^3 + Y^3 - X^2 Y^2 + 1488(X^2 Y + Y^2 X) - 162000(X^2 + Y^2) + 40773375 XY + 8748000000(X + Y) - 157464000000000.$$

If the vertex $j(E)$ does not have degree 3 then E must be ordinary and the algorithm terminates. Otherwise, it attempts to extend each of the three edges $(j(E), j_i)$ to a path of length $m + 1 \ge \log_2 \sqrt{4p^2} + 1$ in step 5. If E is ordinary then one of these attempts must fail, and otherwise E must be supersingular, by Corollary 1.
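The following is an added example, not code from the paper, implementing steps 3–6 of Algorithm 2 in Python for small primes, with $\Phi_2$ taken from the display above. It assumes $p > 3$ and a quadratic non-residue nr defining $\mathbb{F}_{p^2} = \mathbb{F}_p(\sqrt{nr})$, and it finds roots by exhaustive search over $\mathbb{F}_{p^2}$ rather than by the radicals of §4.2, so it illustrates the three parallel walks and their termination, not the complexity bound; the names `Fp2`, `phi2_in_x`, `is_supersingular_j` and `j_invariant` are ours.

```python
# Added example (not code from the paper): steps 3-6 of Algorithm 2 over F_{p^2}
# for small p. Roots are found by exhaustive search instead of Cardano and
# Tonelli-Shanks, so the only non-residue needed is the one defining F_{p^2}.

# Phi_2(X, Y) as printed in Section 4, keyed by (i, k) for the monomial X^i Y^k.
PHI2 = {(3, 0): 1, (0, 3): 1, (2, 2): -1, (2, 1): 1488, (1, 2): 1488,
        (2, 0): -162000, (0, 2): -162000, (1, 1): 40773375,
        (1, 0): 8748000000, (0, 1): 8748000000, (0, 0): -157464000000000}

class Fp2:
    """F_{p^2} = F_p(w), w^2 = nr, nr a quadratic non-residue; elements (a, b) mean a + b*w."""
    def __init__(self, p, nr):
        if pow(nr % p, (p - 1) // 2, p) != p - 1:
            raise ValueError("nr must be a quadratic non-residue mod p")
        self.p, self.nr, self.zero = p, nr % p, (0, 0)
    def embed(self, k):
        return (k % self.p, 0)
    def add(self, x, y):
        return ((x[0] + y[0]) % self.p, (x[1] + y[1]) % self.p)
    def mul(self, x, y):
        return ((x[0] * y[0] + self.nr * x[1] * y[1]) % self.p,
                (x[0] * y[1] + x[1] * y[0]) % self.p)
    def eval_poly(self, coeffs, x):  # coeffs = [c_n, ..., c_0], Horner's rule
        r = self.zero
        for c in coeffs:
            r = self.add(self.mul(r, x), c)
        return r
    def any_root(self, coeffs):  # first root in (a, b) order, or None; p is tiny
        for a in range(self.p):
            for b in range(self.p):
                if self.eval_poly(coeffs, (a, b)) == self.zero:
                    return (a, b)
        return None
    def divide_linear(self, coeffs, z):  # monic coeffs divided by (X - z), z a root
        q = [coeffs[0]]
        for c in coeffs[1:]:
            q.append(self.add(c, self.mul(z, q[-1])))
        assert q.pop() == self.zero, "z is not a root"
        return q
    def roots_with_multiplicity(self, coeffs):
        roots = []
        while len(coeffs) > 1 and (z := self.any_root(coeffs)) is not None:
            roots.append(z)
            coeffs = self.divide_linear(coeffs, z)
        return roots

def phi2_in_x(F, j):
    """Phi_2(j, X) as a monic cubic over F_{p^2}: [1, c2, c1, c0]."""
    jpow = [F.embed(1)]
    for _ in range(3):
        jpow.append(F.mul(jpow[-1], j))
    cs = [F.zero] * 4
    for (i, k), c in PHI2.items():
        cs[3 - k] = F.add(cs[3 - k], F.mul(F.embed(c), jpow[i]))
    return cs

def is_supersingular_j(F, j):
    """Steps 3-6 of Algorithm 2 for a j-invariant j in F_{p^2} (p > 3 assumed)."""
    prev = [j, j, j]                                  # step 4: j_i' = j(E)
    cur = F.roots_with_multiplicity(phi2_in_x(F, j))  # step 3: edges out of j(E)
    if len(cur) < 3:                                  # degree < 3, so E is ordinary
        return False
    for _ in range(F.p.bit_length()):                 # step 5: m = floor(log2 p) + 1
        nxt = []
        for i in range(3):
            f = F.divide_linear(phi2_in_x(F, cur[i]), prev[i])  # 5a: no backtracking
            r = F.any_root(f)                                    # 5b
            if r is None:                                        # path hit the floor
                return False
            nxt.append(r)
        prev, cur = cur, nxt
    return True                                       # step 6

def j_invariant(p, a, b):
    """j of y^2 = x^3 + a*x + b over F_p (non-singular curve assumed)."""
    num = 4 * pow(a, 3, p) % p
    den = (num + 27 * pow(b, 2, p)) % p
    assert den != 0, "singular curve"
    return 1728 * num * pow(den, p - 2, p) % p

def is_supersingular(p, a, b, nr):
    """Algorithm 2 for y^2 = x^3 + a*x + b over F_p, p > 3, with F_{p^2} = F_p(sqrt(nr))."""
    F = Fp2(p, nr)
    return is_supersingular_j(F, F.embed(j_invariant(p, a, b)))
```

For $p = 13$ the single supersingular j-invariant 5 is its own triple 2-isogeny neighbour, so all three walks loop at 5 for every round, while an ordinary vertex such as $j = 1$ over $\mathbb{F}_{25}$ fails already in the first round.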

Thus the algorithm is correct. We now analyze its complexity, considering two possible implementations, one probabilistic and one deterministic. As in §2 we let $M(n)$ denote the cost of multiplication and express our bounds in terms of $n = \log p$.

4.1. Probabilistic complexity analysis. The work of Algorithm 2 consists essentially of solving a cubic equation in step 3 and at most $3m = O(n)$ quadratic equations in step 5. With a probabilistic root-finding algorithm [24, Alg. 14.5], we expect to use $O(n)$ operations in $\mathbb{F}_{p^2}$ for each equation, yielding a total expected running time of $O(n^2)$ operations in $\mathbb{F}_{p^2}$, using storage for $O(1)$ elements of $\mathbb{F}_{p^2}$. This gives an expected running time of $O(n^2 M(n)) = O(n^3 \log n\,\mathrm{llog}\,n)$ using $O(n)$ space. The output of the algorithm is not affected by any of the random choices that are made (it is always correct), thus we have a Las Vegas algorithm.

Proposition 4. Algorithm 2 can be implemented as a Las Vegas algorithm with an expected running time of $O(n^3 \log n\,\mathrm{llog}\,n)$, using $O(n)$ space.

4.2. Deterministic complexity analysis. We now consider how we may obtain a deterministic algorithm, given some additional information. First, we note that the choice of the root $j_i$ in step 5 can be fixed by ordering $\mathbb{F}_{p^2}$ with respect to some basis. Second, we may apply the quadratic formula and Cardano's method (valid over any field of characteristic not 2 or 3) to solve the equations arising in steps 3 and 5 by radicals. To find the roots of a quadratic or cubic polynomial that splits completely in $\mathbb{F}_{p^2}[X]$, it suffices to compute square roots and cube roots in $\mathbb{F}_{p^2}$.
For any prime r, computing an rth root in a finite field $\mathbb{F}_q$ can be reduced to an exponentiation and a (possibly trivial) discrete logarithm computation in the r-Sylow subgroup of $\mathbb{F}_q^*$. For $r = 2$ this is the Tonelli–Shanks algorithm [?, 18], and the generalization to $r > 2$ is due to Adleman, Manders, and Miller [1]. For the discrete logarithm computation we require a generator $\gamma$ for the r-Sylow subgroup $H_r$ of $\mathbb{F}_q^*$ (which is necessarily cyclic). Using the algorithm in [22] we can compute discrete logarithms in $H_r$ using $O(n \log n/\mathrm{llog}\,n)$ operations in $\mathbb{F}_q$, assuming r and the degree of $\mathbb{F}_q$ are fixed. This yields a bit-complexity of $O(M(n)\, n \log n/\mathrm{llog}\,n) = O(n^2 \log^2 n)$, which dominates the cost of exponentiation.

When $H_r$ is not trivial, any element $\alpha$ of $\mathbb{F}_q$ that is not an rth-power residue yields a generator for $H_r$: simply let $\gamma = \alpha^{(q-1)/s}$, where $s = r^{v_r(q-1)}$. This yields the following proposition.

Proposition 5. Algorithm 2 can be implemented as a deterministic algorithm that runs in $O(n^3 \log^2 n)$ time using $O(n)$ space, given a quadratic non-residue and a cubic non-residue in $\mathbb{F}_{p^2}$.

As noted earlier, we can efficiently obtain non-residues by sampling random elements. Given a uniformly random $\alpha \in \mathbb{F}_q^*$, if we let $\gamma = \alpha^{(q-1)/s}$ as above, then $\gamma$ generates $H_r$ if and only if $\gamma^{s/r} \ne 1$, which occurs with probability $1 - 1/r$. Alternatively, if we are given a generator for $\mathbb{F}_{p^2}$ (the coefficients of E may be specified in terms of such a generator), then we already have an element that is both a quadratic and a cubic non-residue.
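An added example, not from the paper, of the recipe in §4.2 and the paragraph above: build the generator $\gamma = \alpha^{(q-1)/s}$ of the r-Sylow subgroup $H_r$ from a candidate $\alpha$, accept it only if $\gamma^{s/r} \ne 1$, and extract an rth root with an exponentiation plus a discrete logarithm in $H_r$. It works over $\mathbb{F}_p$ rather than $\mathbb{F}_{p^2}$ so that Python integers suffice, and the discrete logarithm is an exhaustive search (the page's [22] is the fast version); the function names are ours.

```python
# Added example (not from the paper): r-th roots in F_p via the r-Sylow subgroup
# H_r of F_p^*, following Section 4.2. Works over F_p (not F_{p^2}) so plain
# Python integers suffice; the discrete log in H_r is by exhaustive search.

def sylow_generator(p, r, alpha):
    """gamma = alpha^((p-1)/s), s = r^{v_r(p-1)}; generates H_r iff alpha is not an r-th power."""
    s = 1
    while (p - 1) % (s * r) == 0:
        s *= r
    gamma = pow(alpha, (p - 1) // s, p)
    # gamma generates H_r (cyclic of order s) iff gamma^(s/r) != 1;
    # for a uniformly random alpha this holds with probability 1 - 1/r.
    if s > 1 and pow(gamma, s // r, p) == 1:
        raise ValueError("alpha is an r-th power residue; sample another")
    return gamma, s

def dlog_in_sylow(p, gamma, s, beta):
    """Least k in [0, s) with gamma^k = beta (beta in H_r); s is small here, so search."""
    x = 1
    for k in range(s):
        if x == beta:
            return k
        x = x * gamma % p
    raise ValueError("beta is not in H_r")

def rth_root(p, r, alpha, a):
    """An x with x^r = a mod p (a != 0), or None when a is not an r-th power residue."""
    gamma, s = sylow_generator(p, r, alpha)
    u = (p - 1) // s                       # p - 1 = s*u with gcd(r, u) = 1
    beta = pow(a, u, p)                    # beta^s = a^(p-1) = 1, so beta lies in H_r
    k = dlog_in_sylow(p, gamma, s, beta)   # the "possibly trivial" discrete logarithm
    if k % r:                              # a is an r-th power iff r divides k
        return None
    c = pow(r, -1, u) if u > 1 else 1     # r*c = 1 + u*w for some integer w >= 0
    w = (r * c - 1) // u
    # (a^c)^r = a * (a^u)^w = a * gamma^(k*w); cancel that factor with gamma^(-(k/r)*w).
    return pow(a, c, p) * pow(gamma, (-(k // r) * w) % s, p) % p
```

With $p = 13$ and $r = 2$ the 2-Sylow subgroup has order 4 and $\alpha = 2$ gives $\gamma = 8$; with $r = 3$ it has order 3 and the same $\alpha$ gives $\gamma = 3$, so one non-residue serves both root computations, as the text notes for a field generator.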

We remark that while the complexity bound in Proposition 5 is slightly worse than the bound in Proposition 4, in practice the deterministic approach is usually faster; the 2-Sylow and 3-Sylow subgroups of most finite fields are very small, and in this case the discrete logarithms used to compute square roots and cube roots take negligible time.

4.3. Average case complexity. The bounds given in Propositions 4 and 5 are worst-case complexity bounds. We now consider the performance of Algorithm 2, on average, when given a random elliptic curve over $\mathbb{F}_{p^2}$.

Proposition 6. Given an elliptic curve whose j-invariant is uniformly distributed over $\mathbb{F}_{p^2}$, the expected running time of Algorithm 2 is $O(n^2 \log n\,\mathrm{llog}\,n)$.

Proof. By [19, Thm. V.4.1], the proportion of supersingular j-invariants in $\mathbb{F}_{p^2}$ is $O(1/p)$. It follows from Propositions 4 and 5 that these cases have a negligible impact on the expected running time. Given an ordinary elliptic curve with j-invariant $j_0$, the running time of Algorithm 2 is $O(n\,\mathbb{E}[d - i + 1])$ field operations, where d is the depth of the 2-volcano in $G_2(\mathbb{F}_{p^2})$ containing $j_0$ and $V_i$ is the level in which $j_0$ lies. By Proposition 3, for $d > 0$ we have $\#V_0 \le \#V_1$ and $\#V_i = \#V_{i+1}/2$, for $0 < i < d$. This implies that $\mathbb{E}[d - i + 1]$ is $O(1)$, and the proposition follows. □

The bound in Proposition 6 applies to both the probabilistic and deterministic implementations of Algorithm 2 considered above. With a probabilistic implementation, the expected running time of Algorithm 2 is within a constant factor of the running time of the Monte Carlo approach used in Algorithm 1, and for almost all values of p (those for which $p^2 - 1$ is not divisible by an unusually large power of 2 or 3), this is also true of the deterministic implementation. Remarkably, this constant factor actually favors Algorithm 2, which identifies most ordinary curves even more quickly than Algorithm 1 (see Table 1).
Table 1. Performance results (CPU times in milliseconds).
5. Computational results

Table 1 compares the performance of Algorithm 2 with the implementation of the IsSupersingular function provided by the Magma computer algebra system. The Magma implementation relies on two standard methods for distinguishing supersingular curves: it first performs a Monte Carlo test to quickly identify ordinary curves (as in Algorithm 1), and then applies the modular polynomial approach described in §2.2. Our implementation was built on the GNU Multiple Precision Arithmetic Library (GMP) [6], which is also used by Magma. All tests were run on a single core of an AMD Opteron 250 processor clocked at 2.4 GHz.

Each row of Table 1 corresponds to a series of tests using a fixed bit-length b. For each value of b we selected 5 random primes p in the interval $[2^{b-1}, 2^b]$, and for each prime p we generated 100 elliptic curves defined over $\mathbb{F}_p$ and 100 elliptic curves defined over $\mathbb{F}_{p^2}$, with uniformly distributed j-invariants. As one might expect, all of these randomly generated curves were ordinary, and the average times to process these curves are listed in the "ordinary" columns of Table 1.

To test performance on supersingular inputs, for each prime p we constructed a supersingular curve over $\mathbb{F}_p$ using a variant of the CM method described in [3]. This involves picking a discriminant $D < 0$ with $\left(\frac{D}{p}\right) = -1$ and $-D$ prime. The Hilbert class polynomial $H_D(X)$ is then guaranteed to have an $\mathbb{F}_p$-rational root $j_0$, which is necessarily the j-invariant of a supersingular elliptic curve. In order for this to be feasible, the discriminant D cannot be too large; we used random discriminants in the interval $[2^{?}, 2^{?}]$, and computed $H_D(X) \bmod p$ using the algorithm in [2].

Over $\mathbb{F}_p$, the supersingular j-invariants obtained in this fashion are not uniformly distributed over the set of supersingular j-invariants in $\mathbb{F}_p$. However, one expects the running times of both Algorithm 2 and the Magma implementation to be essentially independent of D, and this appears to be the case. Over $\mathbb{F}_{p^2}$, we are able to obtain a nearly uniform distribution of supersingular j-invariants by performing a random walk on the graph $G_2(\mathbb{F}_{p^2})$, starting from a vertex defined over $\mathbb{F}_p$ constructed using the CM method described above. The supersingular component S of $G_2(\mathbb{F}_{p^2})$ is a Ramanujan graph [12], and this implies that, starting from any vertex of S, a random walk of $O(n)$ steps on S yields a nearly uniform distribution on its vertices.

5.1. Discussion of results. Table 1 indicates a significant performance advantage for Algorithm 2, both asymptotically (as predicted by the complexity analysis), and in terms of its constant factors. It is worth noting that for both ordinary and supersingular inputs, the Magma implementation is substantially slower when working over $\mathbb{F}_{p^2}$ rather than $\mathbb{F}_p$. This is to be expected, given the higher cost of finite field operations in $\mathbb{F}_{p^2}$. By contrast, Algorithm 2 always works in $\mathbb{F}_{p^2}$, and one might suppose that its performance should be essentially independent of whether the input curve is defined over $\mathbb{F}_p$ or $\mathbb{F}_{p^2}$. As can be seen in the timings in Table 1, this is not quite the case. There are two reasons for this.

First, for a random elliptic curve $E/\mathbb{F}_{p^2}$, the probability that the vertex $j(E)$ has degree 3 in $G_2(\mathbb{F}_{p^2})$ is, asymptotically, only 1/6. This means that in approximately 5/6 of the cases (whenever $\phi_{2,E}(X)$ does not split completely in $\mathbb{F}_{p^2}[X]$), Algorithm 2 terminates in step 3. But if we restrict to $E/\mathbb{F}_p$, this happens in just 1/3 of the cases (namely, whenever $\phi_{2,E}(X)$ is irreducible in $\mathbb{F}_p[X]$). This difference explains why Algorithm 2 is actually somewhat faster, on average, when given a random curve over $\mathbb{F}_{p^2}$ rather than $\mathbb{F}_p$.

Second, our implementation relies on a practical optimization that can be applied whenever the input curve is defined over $\mathbb{F}_p$, and this optimization yields nearly a 3-fold speedup on supersingular inputs. Rather than working entirely in the graph $G_2(\mathbb{F}_{p^2})$, we begin by searching for a path in $G_2(\mathbb{F}_p)$ from $j(E)$ to a vertex of degree 1, walking three paths in parallel as usual. Such a vertex $j_1$ will be found within $O(1)$ steps, on average. The vertex $j_1$ will necessarily have degree 3 in $G_2(\mathbb{F}_{p^2})$, and if E is ordinary, then the two edges that lead from $j_1$ to vertices that are not defined over $\mathbb{F}_p$ must be descending edges. It then suffices to extend just one path containing one of these edges, rather than walking three paths in parallel.